SYSTEM, DEVICE, AND METHOD FOR RECEIVER ACCESS CONTROL 
IN A MULTICAST COMMUNICATION NETWORK 

FIELD OF THE INVENTION 

The present invention relates generally to communication systems, and more 
particularly to an architecture for receiver access control and accounting in a multicast 
communication network. 

BACKGROUND OF THE INVENTION 

In today's information age, communication networks are often used for transporting 
information from an information provider to one or more information consumers. 

One technique for transporting information from an information provider to a 
group of information consumers over the communication network is known as 
"multicasting." Multicasting allows the information provider (referred to hereinafter as a 
"multicast source") to transmit a single unit of multicast information (referred to 
hereinafter as a "multicast packet") simultaneously to all information consumers (referred 
to hereinafter individually as a "multicast client" and collectively as "multicast clients") in 
the multicast group, specifically by addressing the multicast packet to the multicast group 
using a multicast address. The multicast clients monitor the communication network for 
multicast packets addressed to the multicast group. 

In order to distribute multicast packets from a particular multicast source S to the 
multicast clients for a particular multicast group G, the multicast packet is routed through 
the communication network by a number of routers. The communication network may 
include multiple routing domains, and therefore the multicast packet may traverse multiple 
routing domains. Each router runs various routing protocols to determine, among other 
things, a "next hop" for each packet based upon address information in the packets. Such 
routing information is used to establish a multicast distribution tree (referred to hereinafter 
as the "shared tree"), and is maintained by each router in one or more routing tables (often 
referred to as a "routing information base"). 

One problem that plagues many multicast communication networks is security, or 
more specifically, the lack thereof. Many multicast communication networks are based 
upon an anonymous receiver model in which any host can join the shared tree, for 
example, using a multicast group management protocol such as the Internet Group 
Management Protocol (IGMP). IGMP is described in Fenner, Internet Engineering Task 
Force (IETF) Request for Comments (RFC) 2236 entitled Internet Group Management 
Protocol, Version 2 (November 1997) and in Cain et al., Internet Engineering Task Force 
(IETF) Internet Draft draft-ietf-idmr-igmp-v3-04.txt entitled Internet Group Management 
Protocol, Version 3 (June 2000), which are hereby incorporated herein by reference in 
their entireties. This anonymous receiver model exposes the shared tree to various types 
of attacks. 

One attempt to protect the shared tree involves the use of data encryption to 
prevent unauthorized hosts from accessing multicast data. For data encryption, a group- 
wide encryption key (referred to hereinafter as the "group key") is used to encrypt and 
decrypt all multicast data for a particular multicast group. The group key is distributed to 
the multicast source as well as to all authorized multicast clients (hosts). The multicast 
source uses the group key to encrypt the multicast data, while all authorized multicast 
clients use the group key to decrypt the multicast data. Unauthorized hosts that receive the 
encrypted multicast data are unable to decrypt the multicast data, and are therefore 
prevented from accessing the multicast data. 

Another attempt to protect the shared tree involves the authentication of control 
messages between multicast routers. Specifically, the multicast routers exchange various 
control messages for, among other things, joining the shared tree. These control messages 
are authenticated hop-by-hop according to a predetermined authentication scheme. By 
authenticating all control messages, only authorized multicast routers are able to join the 
shared tree. 

Unfortunately, neither data encryption nor control message authentication prevents 
an unauthorized host from joining the shared tree and thereby consuming valuable 
communication resources. Because authentication operates only between the multicast 
routers, an unauthorized host can still join the shared tree, specifically by sending a join 
request, for example, using IGMP or other group management mechanism. The multicast 
routers establish the appropriate multicast routes for routing multicast packets to the 
unauthorized host, perhaps even using authentication to perform hop-by-hop 
authentication. As a member of the shared tree, the unauthorized host receives multicast 
packets. This is true even if the multicast packets are protected using data encryption, in 
which case the unauthorized host simply discards the encrypted multicast data. 

Thus, a technique for controlling access in a multicast communication network is 
needed. 

SUMMARY OF THE INVENTION 

In accordance with one aspect of the invention, each subscriber location is treated 
as a separate subnetwork having one and only one multicast receiver. An access device is 
situated at each subscriber location. Each access device connects to a separate port of a 
multicast distribution device. Each subscriber device accesses the multicast network 
through the access device that is situated at its subscriber location. Each access device 
acts as a proxy for its respective subscriber devices by joining and leaving multicast 
groups on behalf of the subscriber devices and acting as the sole multicast receiver for the 
subscriber location. The access devices run a multicast group management protocol for 
joining and leaving various multicast groups, and therefore the access devices appear to 
the multicast distribution device as the ultimate multicast receivers for multicast 
information. The access devices maintain group membership information for their respective 
subscriber devices and distribute multicast information to their respective subscriber 
devices accordingly. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects and advantages of the invention will be 
appreciated more fully from the following further description thereof with reference to the 
accompanying drawings wherein: 

FIG. 1 is a system diagram showing an exemplary communication system in 
accordance with an embodiment of the present invention; 

FIG. 2 is a block diagram showing the relevant logic blocks of an exemplary access 
device in accordance with an embodiment of the present invention; 

FIG. 3 is a logic flow diagram showing exemplary access device switching logic 
for processing a join request from a subscriber device in accordance with an embodiment 
of the present invention; 

FIG. 4 is a logic flow diagram showing exemplary access device switching logic 
for processing a multicast packet received from the multicast distribution device in 
accordance with an embodiment of the present invention; 

FIG. 5 is a logic flow diagram showing exemplary access device switching logic 
when a subscriber device leaves a multicast group in accordance with an embodiment of 
the present invention; 

FIG. 6 is a logic flow diagram showing exemplary multicast distribution device 
logic for processing a join request from an access device in accordance with an 
embodiment of the present invention; 

FIG. 7 is a logic flow diagram showing exemplary multicast distribution device 
logic when an access device leaves a multicast group in accordance with an embodiment 
of the present invention; 

FIG. 8 is a system diagram showing an exemplary communication system in 
accordance with an embodiment of the present invention in which the multicast 
distribution device is a multicast router in a multicast network; 

FIG. 9 is a system diagram showing an exemplary communication system in 
accordance with an embodiment of the present invention in which the multicast 
distribution device is a multicast server; and 

FIG. 10 is a system diagram showing an exemplary communication system in 
accordance with an embodiment of the present invention in which the multicast 
distribution device is a multicast switch. 

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT 

An embodiment of the present invention provides receiver access control and 
accounting in a multicast network by treating each subscriber location as a separate 
subnetwork having one and only one multicast receiver. Specifically, an access device is 
situated at each subscriber location. Each access device connects to a separate port of a 
multicast distribution device (e.g., multicast router or server). Each subscriber device 
accesses the multicast network through the access device that is situated at its subscriber 
location. Each access device acts as a proxy for its respective subscriber devices by 
joining and leaving multicast groups on behalf of the subscriber devices and acting as the 
sole multicast receiver for the subscriber location. The access devices are not part of the 
multicast network in that the access devices do not run a multicast routing protocol (e.g., 
PIM). Instead, the access devices run a multicast group management protocol (e.g., 
IGMP) for joining and leaving various multicast groups, and therefore the access devices 
appear to the multicast distribution device as the ultimate multicast receivers for multicast 
information. The access devices maintain group membership information for their respective 
subscriber devices and distribute multicast information to their respective subscriber 
devices accordingly. 

Because each subnetwork has one and only one multicast receiver (i.e., the access 
device situated at the subscriber location), multicast group management protocol messages 
emanate from one and only one source per subnetwork (i.e., the access device situated at 
the subscriber location). Using an access control database that is preconfigured with 
information about the access devices, the multicast distribution device is able to identify 
and authenticate the source of each multicast group management protocol message, and is 
also able to track network utilization for each subscriber location (such as the multicast 
group memberships, the duration of multicast group memberships, and the amount of data 
delivered for each multicast group membership). The multicast distribution device does 
not identify, authenticate, and track individual subscriber devices, and therefore subscriber 
devices can be added or removed from subscriber locations without affecting the multicast 
distribution device. 

FIG. 1 shows an exemplary communication system 100 in accordance with an 
embodiment of the present invention. The communication system 100 includes a 
multicast distribution device 120 coupled to an accounting system 110, an access control 
database 130, and a number of subscriber locations. For the sake of simplicity, only one 
subscriber location 140 is shown. Each subscriber location, including the subscriber 
location 140, includes an access device 141 and one or more subscriber device(s) 142. 
Each access device, including the access device 141, is coupled to a separate port of the 
multicast distribution device 120. 

Architecturally, the communication system 100 may be used in many applications. 
For example, the communication system 100 may be used in a hotel or apartment building, 
where each hotel room or apartment represents a subscriber location. A single multicast 
distribution device may be used to distribute multicast information to the various hotel 
rooms or apartments. In order to support receiver access control and accounting, each 
hotel room or apartment is associated with an access device through which subscriber 
devices access the multicast network. In such a communication system, the multicast 
distribution device may be, for example, a multicast router that is part of a larger multicast 
network (e.g., a designated router in a PIM network) or a multicast server (e.g., a video 
server in a video-on-demand network). The access device is typically a switch. 

In order for a subscriber device to join a particular multicast group, the subscriber 
device sends a join request to the access device, for example, using a multicast group 
management protocol such as IGMP. Upon receiving the join request from the subscriber 
device, the access device determines whether the access device is already joined to the 
multicast group, specifically by checking a membership database that is maintained by the 
access device. If the access device is already joined to the multicast group, then the access 
device begins forwarding multicast information for the multicast group to the subscriber 
device. However, if the access device is not already joined to the multicast group, then the 
access device sends a join request to the multicast distribution device, for example, using a 
multicast group management protocol such as IGMP. Upon joining the multicast group, 
the access device updates its membership database and begins forwarding multicast 
information for the multicast group to the subscriber device. The multicast distribution 
device establishes appropriate multicast routes for routing multicast information for the 
multicast group to the access device. 

FIG. 2 is a block diagram 200 showing the relevant logic blocks of an exemplary 
access device 141. The access device 141 includes, among other things, a network 
interface 202 for coupling with the multicast distribution device 120, switching logic 204, 
a subscriber interface 206 for coupling with the subscriber device(s) 142, and a 
membership database 208. 

The switching logic 204 supports a first multicast group management protocol for 
communicating with the subscriber device(s) 142 over the subscriber interface 206 as well 
as a second multicast group management protocol for communicating with the multicast 
distribution device 120 over the network interface 202. In a typical embodiment of the 
present invention, both the first multicast group management protocol and the second 
multicast group management protocol are IGMP. In this way, the presence of the access 
device 141 between the multicast distribution device 120 and the subscriber device(s) 142 
is substantially transparent, since the multicast distribution device 120 and the subscriber 
device(s) 142 utilize IGMP as they would without the access device 141 present. 

The switching logic 204 joins and leaves multicast groups on behalf of the 
subscriber devices 142. The switching logic 204 maintains multicast group membership 
information in the membership database 208. The multicast group membership 
information includes the multicast groups joined by the switching logic 204 and a list of 
subscriber devices associated with each multicast group membership. 

When the switching logic 204 receives a join request from a subscriber device 142 
over the subscriber interface 206 for joining a multicast group, the switching logic 204 
checks the membership database 208 to determine whether there is already a membership 
for the multicast group. If there is already a membership for the multicast group, then the 
switching logic 204 adds the subscriber device 142 to the list of subscriber devices 
associated with the multicast group. If there is not already a membership for the multicast 
group, then the switching logic 204 sends a join request to the multicast distribution device 
120 over the network interface 202 in order to join the multicast group on behalf of the 
subscriber device 142. The switching logic 204 updates the membership information in 
the membership database 208 to add the multicast group membership to the membership 
database 208 and also to add the subscriber device to the list of subscriber devices 
associated with the multicast group. 

FIG. 3 is a logic flow diagram showing exemplary switching logic 300 for 
processing a join request from a subscriber device. Beginning at block 302, and upon 
receiving a join request from a subscriber device to join a multicast group, in block 304, 
the logic checks the membership database to determine whether there is already a 
membership for the multicast group, in block 306. If there is already a membership for the 
multicast group (YES in block 308), then the logic adds the subscriber device to the list of 
subscriber devices associated with the multicast group, in block 314. If there is not 
already a membership for the multicast group (NO in block 308), then the logic sends a 
join request to the multicast distribution device to join the multicast group on behalf of the 
subscriber device, in block 310. Once the multicast group membership is established, the 
logic adds the multicast group membership to the membership database, in block 312, and 
also adds the subscriber device to the list of subscriber devices associated with the 
multicast group, in block 314. The logic 300 terminates in block 399. 

When the multicast distribution device 120 receives the join request from the 
access device 141 for joining the multicast group, the multicast distribution device 120 
identifies the access device 141, for example, based upon the port over which the join 
request is received. In addition to identifying the access device 141, the multicast 
distribution device 120 may also authenticate the access device 141 using a predetermined 
authentication scheme such as IPsec AH together with various access control information 
obtained from the access control database 130 (e.g., an authentication key for the access 
device). Assuming that the access device 141 is authentic (i.e., identified and/or 
authenticated by the multicast distribution device 120), the multicast distribution device 
120 establishes appropriate multicast routes for forwarding multicast information for the 
multicast group to the access device 141. This may involve, for example, joining a shared 
multicast distribution tree for the multicast group using a predetermined multicast routing 
protocol such as PIM. The multicast distribution device 120 then forwards multicast 
information for the multicast group to the access device 141. 

FIG. 6 is a logic flow diagram showing exemplary multicast distribution device 
logic 600 for processing a join request from an access device. Beginning at block 602, and 
upon receiving a join request from an access device to join a multicast group, in block 604, 
the logic identifies the access device, in block 606, for example, based upon the port over 
which the join request is received. The logic may authenticate the access device further, in 
block 608, using a predetermined authentication scheme. If the access device is authentic 
(YES in block 610), then the logic establishes appropriate multicast routes for forwarding 
multicast packets for the multicast group to the access device, in block 612, and thereafter 
forwards multicast packets for the multicast group to the access device, in block 614. If 
the access device is not authentic (NO in block 610), then the logic does not establish 
appropriate multicast routes for forwarding multicast packets for the multicast group to the 
access device and does not forward multicast packets for the multicast group to the access 
device. The logic 600 terminates in block 699. 

After the switching logic 204 establishes a multicast group membership on behalf 
of one or more subscriber devices, the switching logic 204 receives multicast information 
from the multicast distribution device 120 over the network interface 202 and forwards the 
multicast information to all subscriber devices in the list of subscriber devices associated 
with the multicast group. Specifically, when the switching logic 204 receives a multicast 
packet for a multicast group from the multicast distribution device 120 over the network 
interface 202, the switching logic 204 checks the membership database 208 to determine 
whether there is a multicast group membership for the multicast group. If there is a 
multicast group membership for the multicast group, then the switching logic 204 obtains 
the list of subscriber devices associated with the multicast group from the membership 
database and forwards the multicast packet to the subscriber devices associated with the 
multicast group. If there is not a multicast group membership for the multicast group, then 
the switching logic 204 does not forward the multicast packet to the subscriber devices 
(i.e., the switching logic 204 drops the multicast packet). 

FIG. 4 is a logic flow diagram showing exemplary switching logic 400 for 
processing a multicast packet. Beginning at block 402, and upon receiving a multicast 
packet for a multicast group from the multicast distribution device, in block 404, the logic 
checks the membership database to determine whether there is a membership for the 
multicast group, in block 406. If there is a membership for the multicast group (YES in 
block 408), then the logic obtains the list of subscriber devices associated with the 
multicast group from the membership database, in block 410, and forwards the multicast 
packet to the subscriber devices associated with the multicast group, in block 412. If there 
is not already a membership for the multicast group (NO in block 408), then the logic 
drops the packet. The logic 400 terminates in block 499. 

The switching logic 204 maintains a particular multicast group membership as long 
as there is at least one subscriber device 142 that is joined to the multicast group. The 
switching logic 204 may use various means for determining whether a particular 
subscriber device remains a member of a particular multicast group. For example, the 
switching logic 204 may utilize the IGMP query/report mechanism to determine the 
multicast group memberships for all subscriber devices, in which case the switching logic 
204 sends IGMP query messages to the subscriber devices and the subscriber devices 
report their multicast group memberships in IGMP report messages. Alternatively, the 
subscriber devices may send explicit leave requests to the access device 141 for leaving 
multicast groups. 

In any case, when the switching logic 204 determines that a particular subscriber 
device is no longer a member of a particular multicast group, the switching logic 204 
removes the subscriber device from the list of subscriber devices associated with the 
multicast group in the membership database 208. The switching logic 204 then determines 
whether there are any remaining members of the multicast group, specifically by 
determining whether there are any remaining subscriber devices in the list of subscriber 
devices associated with the multicast group. If there are no remaining members of the 
multicast group, then the switching logic 204 leaves the multicast group, for example, by 
omitting the multicast group from IGMP report messages sent to the multicast distribution 
device 120 or by sending an explicit leave request to the multicast distribution device 120. 

FIG. 5 is a logic flow diagram showing exemplary switching logic 500 when a 
subscriber device leaves a multicast group. Beginning at block 502, and upon determining 
that a subscriber device has left a multicast group, in block 504, the logic removes the 
subscriber device from the list of subscriber devices associated with the multicast group in 
the membership database, in block 506. The logic then determines whether there are any 
remaining members of the multicast group, in block 508, specifically by determining 
whether there are any remaining subscriber devices in the list of subscriber devices 
associated with the multicast group. If there are no remaining members of the 
multicast group (NO in block 510), then the logic leaves the multicast group, in block 512. 
If there is at least one remaining member of the multicast group (YES in block 510), then 
the logic maintains the multicast group membership. The logic 500 terminates in block 
599. 
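
The join, forward, and leave flows of FIGS. 3, 4, and 5 can be modelled together as one small state machine. The following is an added example, not code from the patent; the class name, method names, and the `upstream_send` callback (standing in for IGMP messages toward the multicast distribution device) are hypothetical.

```python
class AccessDevice:
    """Model of switching logic 204 with membership database 208.

    Added illustration: the names here are hypothetical, and
    upstream_send(kind, group) stands in for the IGMP join/leave sent
    to the multicast distribution device over the network interface.
    """

    def __init__(self, upstream_send):
        self.upstream_send = upstream_send
        self.membership = {}  # group address -> set of subscriber device ids

    def subscriber_join(self, subscriber, group):
        """FIG. 3: process a join request from a subscriber device."""
        members = self.membership.get(group)          # blocks 306/308
        if members is None:
            # No membership yet: join upstream exactly once (block 310),
            # then record the new membership (block 312).
            self.upstream_send("join", group)
            members = self.membership[group] = set()
        members.add(subscriber)                       # block 314

    def forward(self, group, payload):
        """FIG. 4: return (subscriber, payload) deliveries, or [] to drop."""
        members = self.membership.get(group)          # blocks 406/408
        if not members:
            return []                                 # no membership: drop
        return [(s, payload) for s in sorted(members)]  # blocks 410/412

    def subscriber_leave(self, subscriber, group):
        """FIG. 5: a subscriber device has left a multicast group."""
        members = self.membership.get(group)
        if members is None or subscriber not in members:
            return                                    # nothing to remove
        members.discard(subscriber)                   # block 506
        if not members:                               # blocks 508/510
            # Last local member gone: leave upstream (block 512).
            del self.membership[group]
            self.upstream_send("leave", group)


def run_demo():
    """Constructed scenario: two devices at one subscriber location."""
    sent = []
    dev = AccessDevice(lambda kind, group: sent.append((kind, group)))
    dev.subscriber_join("tv-1", "239.1.1.1")
    dev.subscriber_join("tv-2", "239.1.1.1")   # no second upstream join
    delivered = dev.forward("239.1.1.1", b"frame")
    dev.subscriber_leave("tv-1", "239.1.1.1")  # tv-2 remains, stay joined
    dev.subscriber_leave("tv-2", "239.1.1.1")  # last member, leave upstream
    return sent, delivered


if __name__ == "__main__":
    print(run_demo())
```

The distribution device sees a single join and a single leave for the location regardless of how many subscriber devices came and went behind the access device.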

When the multicast distribution device 120 determines that the access device 141 
is no longer a member of a particular multicast group, the multicast distribution device 120 
stops forwarding multicast information for the multicast group to the access device 141. 
The multicast distribution device 120 may also remove itself from a shared multicast 
distribution tree for the multicast group, for example, using a multicast routing protocol 
such as PIM. 

FIG. 7 shows exemplary multicast distribution device logic when an access device 
leaves a multicast group. Beginning at block 702, and upon determining that an access 
device has left a multicast group, in block 704, the multicast distribution device stops 
forwarding multicast packets for the multicast group to the access device, in block 706. 
The logic 700 terminates in block 799. 

FIG. 8 shows an exemplary communication system 800 in which the multicast 
distribution device is a multicast router in a multicast network. The communication 
system 800 includes a multicast distribution device 804 coupled to a multicast network 
802 and to a number of subscriber locations 806_1 through 806_N. The multicast distribution 
device 804 maintains multicast group membership information for forwarding multicast 
information to the subscriber locations 806_1 through 806_N. The multicast distribution 
device 804 joins multicast groups in the multicast network 802 on behalf of the access 
devices in the subscriber locations 806_1 through 806_N and forwards the multicast 
information received over the multicast network 802 to the appropriate subscriber 
locations 806_1 through 806_N based upon the multicast group memberships of the access 
devices in the subscriber locations 806_1 through 806_N. 

FIG. 9 shows an exemplary communication system 900 in which the multicast 
distribution device is a multicast server. The communication system 900 includes a 
multicast distribution device 904 coupled to a multicast database 902 and to a number of 
subscriber locations 906_1 through 906_N. The multicast distribution device 904 maintains 
multicast group membership information for forwarding multicast information to the 
subscriber locations 906_1 through 906_N. The multicast distribution device 904 obtains 
multicast information (such as pay-per-view television information) from the multicast 
database 902 and forwards the multicast information to the appropriate subscriber 
locations 906_1 through 906_N based upon the multicast group memberships of the access 
devices in the subscriber locations 906_1 through 906_N. 

FIG. 10 shows an exemplary communication system 1000 in which the multicast 
distribution device is a multicast switch. The communication system 1000 includes a 
multicast distribution device 1004 coupled to a multicast server 1002 and to a number of 
subscriber locations 1006_1 through 1006_N. The multicast distribution device 1004 
maintains multicast group membership information for forwarding multicast information 
to the subscriber locations 1006_1 through 1006_N. The multicast distribution device 1004 
forwards multicast information received from the multicast server 1002 to the appropriate 
subscriber locations 1006_1 through 1006_N based upon the multicast group memberships of 
the access devices in the subscriber locations 1006_1 through 1006_N. 

Architecturally, an embodiment of the present invention facilitates accounting 
functions performed by the multicast distribution device 120. Because the multicast 
distribution device 120 maintains multicast group memberships for the access devices and 
not for the individual subscriber devices, the multicast distribution device 120 is able to 
maintain accounting information for each access device rather than for the individual 
subscriber devices. For each access device, the multicast distribution device 120 typically 
tracks such things as the multicast group memberships, the duration of each multicast 
group membership, and the volume of data delivered for the duration of each multicast 
group membership. Billing is also simplified, since all billable items for a particular 
access device correspond to one and only one subscriber location. The multicast 
distribution device 120 maintains accounting/billing information in the accounting system 
110. 
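
The distribution-device side (FIGS. 6 and 7) and the per-access-device accounting described above can be sketched as follows. This is an added example, not code from the patent: all names are hypothetical, and an HMAC-SHA256 tag over the join message is swapped in as a simple stand-in for the IPsec AH authentication the text mentions.

```python
import hashlib
import hmac


def sign_join(key: bytes, port: int, group: str) -> bytes:
    """Tag an access device attaches to a join (stand-in for IPsec AH).

    Assumption of this sketch: unlike AH with its sequence numbers, a
    static tag like this one offers no replay protection.
    """
    return hmac.new(key, f"join|{port}|{group}".encode(), hashlib.sha256).digest()


class DistributionDevice:
    """Model of multicast distribution device 120 (hypothetical names).

    access_control_db plays the role of access control database 130:
    it maps a port to the access device id and its authentication key.
    """

    def __init__(self, access_control_db, clock):
        self.acl = access_control_db
        self.clock = clock       # injected so accounting is testable
        self.routes = {}         # group -> set of ports to forward to
        self.open = {}           # (port, group) -> [start_time, bytes]
        self.records = []        # closed accounting records (system 110)
        self.rejected = []       # joins refused: useful for monitoring

    def handle_join(self, port, group, tag):
        """FIG. 6: identify by port, authenticate, then install a route."""
        entry = self.acl.get(port)                       # block 606
        if entry is None or not hmac.compare_digest(     # blocks 608/610
            tag, sign_join(entry["key"], port, group)
        ):
            self.rejected.append((port, group))          # no route installed
            return False
        self.routes.setdefault(group, set()).add(port)   # block 612
        self.open.setdefault((port, group), [self.clock(), 0])
        return True

    def deliver(self, group, payload):
        """Block 614: forward to joined ports and count delivered bytes."""
        ports = sorted(self.routes.get(group, ()))
        for port in ports:
            self.open[(port, group)][1] += len(payload)
        return ports

    def handle_leave(self, port, group):
        """FIG. 7: stop forwarding and close the accounting record."""
        session = self.open.pop((port, group), None)
        if session is None:
            return None
        self.routes[group].discard(port)                 # block 706
        if not self.routes[group]:
            del self.routes[group]
        start, nbytes = session
        record = {
            "device": self.acl[port]["device"],
            "group": group,
            "duration": self.clock() - start,
            "bytes": nbytes,
        }
        self.records.append(record)
        return record


if __name__ == "__main__":
    now = [0]
    db = {1: {"device": "room-101", "key": b"constructed-key"}}  # constructed
    dd = DistributionDevice(db, lambda: now[0])
    print(dd.handle_join(1, "239.1.1.1", sign_join(b"constructed-key", 1, "239.1.1.1")))
    print(dd.handle_join(7, "239.1.1.1", b"\x00" * 32))  # unknown port: refused
    dd.deliver("239.1.1.1", b"x" * 1200)
    now[0] = 60
    print(dd.handle_leave(1, "239.1.1.1"))
```

Because identification is keyed on the port, a join arriving on a port with no entry in the access control database never installs a route, which is the property the anonymous receiver model lacks.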

It should be noted that terms such as "router," "switch," and "server" are used 
herein to describe various communication devices that may be used in a communication 
system, and should not be construed to limit the present invention to any particular 
communication device type. Thus, a communication device may include, without 
limitation, a bridge, router, bridge-router (brouter), switch, node, server, or other 
communication device. 

It should also be noted that the term "packet" is used herein to describe a 
communication message that may be used by a communication device (e.g., created, 
transmitted, received, stored, or processed by the communication device) or conveyed by a 
communication medium, and should not be construed to limit the present invention to any 
particular communication message type, communication message format, or 
communication protocol. Thus, a communication message may include, without 
limitation, a frame, packet, datagram, user datagram, cell, or other type of communication 
message. 

It should also be noted that the logic flow diagrams are used herein to demonstrate 
various aspects of the invention, and should not be construed to limit the present invention 
to any particular logic flow or logic implementation. The described logic may be 
partitioned into different logic blocks (e.g., programs, modules, functions, or subroutines) 
without changing the overall results or otherwise departing from the true scope of the 
invention. Often times, logic elements may be added, modified, omitted, performed in a 
different order, or implemented using different logic constructs (e.g., logic gates, looping 
primitives, conditional logic, and other logic constructs) without changing the overall 
results or otherwise departing from the true scope of the invention. 

The present invention may be embodied in many different forms, including, but in 
no way limited to, computer program logic for use with a processor (e.g., a 
microprocessor, microcontroller, digital signal processor, or general purpose computer), 
programmable logic for use with a programmable logic device (e.g., a Field Programmable 
Gate Array (FPGA) or other PLD), discrete components, integrated circuitry (e.g., an 
Application Specific Integrated Circuit (ASIC)), or any other means including any 
combination thereof. In a typical embodiment of the present invention, predominantly all 
of the switching logic 204 for joining multicast groups on behalf of the subscriber devices, 
leaving multicast groups on behalf of the subscriber devices, maintaining multicast group 
memberships, and forwarding multicast packets to the subscriber devices is implemented 
as a set of computer program instructions that is converted into a computer executable 
form, stored as such in a computer readable medium, and executed by a microprocessor 
within the access device 141 under the control of an operating system. 

Computer program logic implementing all or part of the functionality previously 
described herein may be embodied in various forms, including, but in no way limited to, a 
source code form, a computer executable form, and various intermediate forms (e.g., forms 
generated by an assembler, compiler, linker, or locator). Source code may include a series 
of computer program instructions implemented in any of various programming languages 
(e.g., an object code, an assembly language, or a high-level language such as Fortran, C, 
C++, JAVA, or HTML) for use with various operating systems or operating environments. 
The source code may define and use various data structures and communication messages. 
The source code may be in a computer executable form (e.g., via an interpreter), or the 
source code may be converted (e.g., via a translator, assembler, or compiler) into a 
computer executable form. 

The computer program may be fixed in any form (e.g., source code form, computer 
executable form, or an intermediate form) either permanently or transitorily in a tangible 
storage medium, such as a semiconductor memory device (e.g., a RAM, ROM, PROM, 
EEPROM, or Flash-Programmable RAM), a magnetic memory device (e.g., a diskette or 
fixed disk), an optical memory device (e.g., a CD-ROM), or other memory device. The 
computer program may be fixed in any form in a signal that is transmittable to a computer 
using any of various communication technologies, including, but in no way limited to, 
analog technologies, digital technologies, optical technologies, wireless technologies, 
networking technologies, and internetworking technologies. The computer program may 
be distributed in any form as a removable storage medium with accompanying printed or 
electronic documentation (e.g., shrink wrapped software), preloaded with a computer 
system (e.g., on system ROM or fixed disk), or distributed from a server or electronic 
bulletin board over the communication system (e.g., the Internet or World Wide Web). 

Hardware logic (including programmable logic for use with a programmable logic 
device) implementing all or part of the functionality previously described herein may be 
designed using traditional manual methods, or may be designed, captured, simulated, or 
documented electronically using various tools, such as Computer Aided Design (CAD), a 
hardware description language (e.g., VHDL or AHDL), or a PLD programming language 
(e.g., PALASM, ABEL, or CUPL). 

Programmable logic may be fixed either permanently or transitorily in a tangible 
storage medium, such as a semiconductor memory device (e.g., a RAM, ROM, PROM, 
EEPROM, or Flash-Programmable RAM), a magnetic memory device (e.g., a diskette or 
fixed disk), an optical memory device (e.g., a CD-ROM), or other memory device. The 
programmable logic may be fixed in a signal that is transmittable to a computer using any 
of various communication technologies, including, but in no way limited to, analog 
technologies, digital technologies, optical technologies, wireless technologies, networking 
technologies, and internetworking technologies. The programmable logic may be 
distributed as a removable storage medium with accompanying printed or electronic 
documentation (e.g., shrink wrapped software), preloaded with a computer system (e.g., on 
system ROM or fixed disk), or distributed from a server or electronic bulletin board over 
the communication system (e.g., the Internet or World Wide Web). 

Thus, the present invention may be embodied as a multicast communication system 
having a plurality of subscriber locations. Each subscriber location has an access device 
through which a number of subscriber devices access multicast information sent by a 
multicast distribution device. Each access device acts as a sole multicast receiver for its 
respective subscriber location and distributes multicast information received from the 
multicast distribution device to the subscriber devices at its respective subscriber location. 
The multicast distribution device distributes multicast information for a number of 
multicast groups, and each access device uses a predetermined multicast group 
management protocol (e.g., IGMP) to join the multicast groups on behalf of its respective 
subscriber devices. 

The present invention may also be embodied as a multicast communication system 
having a multicast distribution device coupled to a plurality of subscriber locations, 
wherein each subscriber location is a separate subnetwork of the multicast distribution 
device. Typically, each subscriber location has one and only one access device through 
which subscriber devices at the subscriber location access multicast information 
distributed by the multicast distribution device. Each access device is typically connected 
to a separate interface of the multicast distribution device, and the multicast distribution 
device identifies each access device based upon the interface to which the access device is 
connected. Each access device joins multicast groups maintained by the multicast 
distribution device on behalf of its respective subscriber devices using a multicast group 
management protocol. The multicast distribution device sends multicast information to 
the access devices based upon multicast group memberships of the access devices, and 
each access device distributes multicast information received from the multicast 
distribution device to its respective subscriber devices. The multicast distribution device 
maintains accounting information for each subnetwork. 

The present invention may also be embodied as an access control method for use in 
a communication system having a multicast distribution device coupled to a plurality of 
subscriber locations. Each subscriber location has an access device and at least one 
subscriber device. The access control method involves maintaining a number of multicast 
groups by the multicast distribution device and joining one of the multicast groups by a 
first subscriber device. Joining one of the multicast groups by the first subscriber device 
involves sending a first join request by the first subscriber device to an access device using 
a first multicast group management protocol, joining the multicast group by the access 
device on behalf of the first subscriber device, and associating the first subscriber device 
with the multicast group by the access device. Joining the multicast group by the access 
device on behalf of the first subscriber device involves sending a second join request by 
the access device to the multicast distribution device using a second multicast group 
management protocol and authenticating the access device by the multicast distribution 
device. Authenticating the access device by the multicast distribution device involves 
identifying the access device by the multicast distribution device. The access device is 
typically coupled to an interface of the multicast distribution device, in which case 
identifying the access device by the multicast distribution device involves identifying the 
access device based upon the interface over which the second join request is received by 
the multicast distribution device. Authenticating the access device by the multicast 
distribution device may also involve authenticating the access device using a 
predetermined authentication scheme such as IPsec AH. The multicast distribution device 
establishes a multicast group membership for the access device upon determining that the 
access device is authentic, but denies a multicast group membership for the access device 
upon determining that the access device is not authentic. The access device typically 
maintains a list of subscriber devices associated with the multicast group and adds the first 
subscriber device to the list of subscriber devices associated with the multicast group. 

The access control method may also involve leaving the multicast group by the 
first subscriber device, leaving the multicast group by the access device on behalf of the 
first subscriber device, and disassociating the first subscriber device from the multicast 
group by the access device. 

The access control method may also involve joining the multicast group by a 
second subscriber device. Joining the multicast group by the second subscriber device 
involves sending a third join request by the second subscriber device to the access device 
using a third multicast group management protocol and associating the second subscriber 
device with the multicast group by the access device. 

The access control method may also involve leaving the multicast group by one of 
the first subscriber device and the second subscriber device, remaining joined to the 
multicast group by the access device on behalf of the remaining subscriber device, and 
disassociating said one of the first subscriber device and the second subscriber device from 
the multicast group by the access device. 

The access control method may also involve maintaining accounting information 
by the multicast distribution device for each multicast group for each subscriber location. 

The present invention may also be embodied as an apparatus for operating as a sole 
multicast receiver on behalf of a number of subscriber devices at a subscriber location in a 
multicast communication network. The apparatus includes a network interface couplable 
to a multicast distribution device, a subscriber interface couplable to the number of 
subscriber devices at the subscriber location, and switching logic interposed between the 
network interface and the subscriber interface. The switching logic joins multicast groups 
maintained by the multicast distribution device on behalf of the number of subscriber 
devices and forwards multicast information to the subscriber devices. 

More specifically, the switching logic includes first multicast group management 
logic (e.g., IGMP logic) for controlling first multicast group memberships between the 
apparatus and the subscriber devices, second multicast group management logic (e.g., 
IGMP logic) for controlling second multicast group memberships between the apparatus 
and the multicast distribution device, and membership logic for maintaining said first and 
second multicast group memberships. The membership logic associates the first multicast 
group memberships with the second multicast group memberships, typically by 
maintaining a list of subscriber devices for each of said second multicast group 
memberships. The first multicast group management logic may receive a join request 
from a subscriber device for joining a multicast group, in which case the second multicast 
group management logic may join the multicast group on behalf of the first subscriber 
device and the membership logic associates the first subscriber device with the multicast 
group. The first multicast group management logic may determine that a subscriber device 
has left a multicast group, in which case the membership logic disassociates the subscriber 
device from the multicast group, and the second multicast group management logic 
determines whether there are any remaining subscriber devices associated with the 
multicast group based upon the membership information maintained by the membership 
logic. The second multicast group management logic remains a member of the multicast 
group upon determining that there is at least one remaining subscriber device associated 
with the multicast group, but leaves the multicast group upon determining that there are no 
remaining subscriber devices associated with the multicast group. 

The present invention may also be embodied as a computer program for controlling 
a computer system. The computer program includes network interface logic for 
communicating with a multicast distribution device, subscriber interface logic for 
communicating with a number of subscriber devices at a subscriber location, and 
switching logic logically interposed between the network interface logic and the subscriber 
interface logic. The switching logic is programmed to join multicast groups maintained by 
the multicast distribution device on behalf of the number of subscriber devices and 
forward multicast information to the subscriber devices. 

More specifically, the switching logic includes first multicast group management 
logic (e.g., IGMP) for controlling first multicast group memberships between the computer 
system and the subscriber devices, second multicast group management logic (e.g., IGMP) 
for controlling second multicast group memberships between the computer system and the 
multicast distribution device, and membership logic for maintaining said first and second 
multicast group memberships. The membership logic associates the first multicast group 
memberships with the second multicast group memberships, typically by maintaining a list 
of subscriber devices for each of said second multicast group memberships. The first 
multicast group management logic may receive a join request from a subscriber device for 
joining a multicast group, in which case the second multicast group management logic 
may join the multicast group on behalf of the first subscriber device and the membership 
logic associates the first subscriber device with the multicast group. The first multicast 
group management logic may determine that a subscriber device has left a multicast group, 
in which case the membership logic disassociates the subscriber device from the multicast 
group, and the second multicast group management logic determines whether there are any 
remaining subscriber devices associated with the multicast group based upon the 
membership information maintained by the membership logic. The second multicast 
group management logic remains a member of the multicast group upon determining that 
there is at least one remaining subscriber device associated with the multicast group, but 
leaves the multicast group upon determining that there are no remaining subscriber devices 
associated with the multicast group. 
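
The access control method and the membership logic described above can be modeled as follows. This is an added illustration, not code from the specification: the class and method names, the interface labels, the group address, and the use of a join count as the accounting record are all assumptions, and only interface-based identification is modeled (not IPsec AH).

```python
from collections import defaultdict

class DistributionDevice:
    """Hypothetical model of the multicast distribution device."""
    def __init__(self, interfaces):
        self.interfaces = dict(interfaces)   # interface -> subscriber location (constructed)
        self.members = defaultdict(set)      # group -> interfaces with a membership
        self.accounting = defaultdict(int)   # (location, group) -> joins (assumed metric)

    def join(self, interface, group):
        # The access device is identified by the interface the join arrived on,
        # not by anything carried inside the request.
        location = self.interfaces.get(interface)
        if location is None:
            return False                     # not authentic: membership denied
        self.members[group].add(interface)
        self.accounting[(location, group)] += 1
        return True

    def leave(self, interface, group):
        self.members[group].discard(interface)

class AccessDevice:
    """Hypothetical model of the sole multicast receiver at one location."""
    def __init__(self, interface, upstream):
        self.interface, self.upstream = interface, upstream
        self.subscribers = {}                # group -> set of subscriber devices

    def subscriber_join(self, subscriber, group):
        if group not in self.subscribers:    # first local member: join upstream
            if not self.upstream.join(self.interface, group):
                return False
            self.subscribers[group] = set()
        self.subscribers[group].add(subscriber)
        return True

    def subscriber_leave(self, subscriber, group):
        members = self.subscribers.get(group, set())
        members.discard(subscriber)
        if group in self.subscribers and not members:
            del self.subscribers[group]      # last local member gone: leave upstream
            self.upstream.leave(self.interface, group)

def demo():
    dist = DistributionDevice({"if1": "location-A"})
    home, rogue = AccessDevice("if1", dist), AccessDevice("if9", dist)
    g = "239.1.1.1"                          # constructed group address
    joined = [home.subscriber_join(s, g) for s in ("tv", "pc")]
    home.subscriber_leave("tv", g)
    still_member = "if1" in dist.members[g]
    return joined, still_member, rogue.subscriber_join("x", g), dist.accounting[("location-A", g)]
```

In this model two subscriber joins produce a single upstream membership and a single accounting entry for the location, and a join arriving on an unprovisioned interface is denied without creating any state.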

The computer program may be embodied in a computer readable medium or in a 
data signal. 

The present invention may be embodied in other specific forms without departing 
from the true scope of the invention. The described embodiments are to be considered in 
all respects only as illustrative and not restrictive. 



